Tornado Cash Sanctioned by OFAC: What Does This Mean for DeFi?

Vladimir -

The Office of Foreign Assets Control (OFAC), part of the U.S. Treasury, sanctioned crypto mixer Tornado Cash. All U.S. persons and entities are prohibited from interacting with Tornado’s smart contracts that held over $400 million.

In this post, we explore what Tornado Cash is, why it was sanctioned, how the DeFi community reacted, and what this could mean for crypto and Web3.

What is Tornado Cash?

Tornado Cash is a decentralized, non-custodial protocol that seeks to improve on-chain privacy on Ethereum and EVM networks.

In practice, anyone could deposit ETH or supported tokens into the pool from one address and receive them at a fresh address. By using zero-knowledge proofs, Tornado’s smart contracts can prove that a deposit was made without revealing any information about it. This severs the on-chain link between the original and the fresh address.

This was a hugely popular service for legitimate reasons: you might not always want to reveal the full history of your on-chain transactions.

Since 2019, over 12,000 unique addresses deposited over $7 billion worth of crypto into Tornado, according to a Dune analytics dashboard.

Some of these addresses participated in high-profile hacks and exploits — law enforcement agencies were always paying close attention to Tornado.

What is OFAC? And what happened?

The Office of Foreign Assets Control (OFAC) is the arm of the US Treasury that is responsible for enforcing sanctions according to the US foreign policy. It publishes lists of individuals and companies related to countries subject to US economic and trade sanctions.

The OFAC sanctioned Tornado for allegedly laundering $7 billion in crypto, including $455 million stolen by the Lazarus Group, a North Korea-sponsored hacker group.

The on-chain activity also points to addresses associated with high-profile hacks:

  • $96 million from Harmony bridge attack,
  • $7.8 million from the $190 million Nomad bridge hack.

It’s not the first time the OFAC went after crypto mixers. In May, the OFAC already sectioned Blender.io, a Bitcoin mixer.

What OFAC sanctions mean

Sanctions by OFAC prevent any U.S. person (an individual or a company) from any interaction with the sanctioned.

Of course, sending a transaction to any of the Tornado addresses is off-limits.

But the interpretation of OFAC sanctions usually goes far beyond financial services. For example, Tornado already confirmed that:

  • Tornado Cash’s GitHub was blocked as well as personal Github accounts of individual contributors,
  • All USDC on Tornado Cash contracts were frozen by stablecoin issuer Circle,
  • Alchemy no longer powers the Tornado Cash website,
  • Infura RPC banned,
  • ETH.Limo (an alternative to Cloudflare’s eth.linkdomain) censored Tornado.

The penalty for violating OFAC’s sanctions could include up to 30 years in prison. It’s nor surprising that many services reacted so swiftly.

If you want to dive deeper into the legal implications, Ledger’s Global Head of Policy Seth Hertlein has put together a great thread.

Twitter

Impact on assets: USDC, USDT, WBTC, DAI

The OFAC’s decision will likely have an impact on some of DeFi’s major assets.

Circle, the issuer of USDC, already banned 75,000 USDC belonging to unsuspecting Tornado users, as well as 149 USDC donated to the project. A total of 4 million USDC is now in banned addresses (not only related to Tornado).

USDT, issued by Tether, can also be blacklisted. Although over 400 million USDT is in banned addresses, so far Tether has not blacklisted sanctioned Tornado addresses, according to a Dune dashboard.

WBTC, the wrapped Bitcoin, is issued by BitGo, a US company, They will likely need to do something to prevent services to sanctioned addresses.

MakerDAO’s DAI is decentralized and cannot be blacklisted at the smart contract level. However, MakerDAO currently accepts USDC and WBTC as collateral. They might have to review how they treat these assets.

DEXes and other DeFi protocols that deal with tainted tokens could be viewed as violating sanctions. How this would be treated or enforced remains to be seen.

DeFi’s reaction

The DeFi community took to Twitter to express their concerns.

Ryan Sean Adams, the co-founder of Bankless, made his view clear:

Twitter

Co-founder of Stacks called for solidarity:

Twitter

The co-founder of dYdX referred to this as a dangerous precedent:

Twitter

Messari’s co-founder noted that both alternatives are bad:

Twitter

Vitalik admitted using Tornado to donate to Ukraine:

Twitter

Aave’s co-founder drew attention to the hypocrisy of the move:

Twitter

And some anons simply sent ETH to Twitter celebrities to prove their point — nobody can decline a transaction from Tornado Cash.

joseph.eth first tweeted this

Zerion’s view is expressed by co-founder & CEO Evgeny Yurtaev:

“Zerion Inc, as a US company, will always comply with all relevant US rules and regulations. Yet balancing innovation, safety, transparency, and the right to privacy is hard. Regulators will need to come up with entirely new approaches. We’re always open to help in any way we can.”

What’s next?

Tornado was a popular privacy service with thousands of users. Bad actors also used it, just like with cash and bank accounts.

The OFAC’s decisions might have wide implications for the DeFi space. There’s no shortage of opinions. Let’s see how this will play out.